TL;DR:
Question: how do I configure Tripwire to watch EVERYTHING that is below a certain path? My current config seems to only be looking at certain files / directories in a given path instead of everything.
Background / Full story:
I've recently installed Tripwire on a server that had some vulnerable PHP code. I added a rule called "Websites" that includes a number of sites that are run from the server (snippet below).
# Ruleset for websites
(
rulename = "Websites",
severity = $(SIG_HI),
emailto = "webmaster@hackedsite.com"
)
{
/home/foouser1/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser2/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser3/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser4/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser5/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser6/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser7/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser8/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser9/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser10/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser11/www/ -> $(SEC_CRIT) (recurse = 1);
/home/foouser12/www/ -> $(SEC_CRIT) (recurse = 1);
}
I then updated the policy using:
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
I entered my site key as expected, and the policy was updated without error.
When I run a check, there are no errors and no violations.
Then, to test it, I added an extra space to one of the files (/home/foouser1/www/foo/bar/js/script.js), which had previously (and repeatedly) been compromised. This should trigger a violation.
Re-running the check (tripwire --check -R Websites -v) shows several issues:
- Tripwire was ignoring the file, even though it is below the declared file path /home/foouser1/www.
- It scans a bunch of files that are in /home/foouser1/www, but not all of them.
Finally, when I compare the directory contents of /home/foouser1/www to the number of files scanned by tripwire, there is a huge difference.
find /home/foouser1/www/ -type f -print | wc -l
shows me there are 3,000+ files in that directory that should be watched by tripwire.
find /home/foouser1/www/ -type d -print | wc -l
shows me there are 192 subdirectories in that directory that should be watched by tripwire.
Tripwire reports that it only looked at 192 objects.
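A check you can run before touching the policy, as an added example that is not part of the question above: count how many objects (the start directory plus files and directories) a depth-limited scan would see under a path, versus the unlimited total, and whether a particular file falls inside that depth. It assumes Tripwire's documented recurse semantics (recurse = N descends N levels; recurse = true or -1 descends without limit) and a GNU/BSD find with -maxdepth; the demo tree it builds is constructed to mirror the paths in the question.

```shell
#!/bin/sh
# Objects a depth-limited scan would cover under DIR (start dir included).
# Assumption (from Tripwire policy semantics, not from the post):
# recurse = N only descends N levels below the listed directory.
objects_to_depth() {   # $1 = dir, $2 = depth
    find "$1" -maxdepth "$2" -print | wc -l | tr -d ' '
}

# Every object under DIR, which is what recurse = true (or -1) would cover.
objects_all() {        # $1 = dir
    find "$1" -print | wc -l | tr -d ' '
}

# Prints "yes" if PATH lies within DEPTH levels of DIR, else "no".
covered_at_depth() {   # $1 = dir, $2 = depth, $3 = path
    if find "$1" -maxdepth "$2" -path "$3" -print | grep -q .; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample tree shaped like the question's web root:
# www/index.php, www/css/site.css, www/foo/bar/js/script.js
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/www/foo/bar/js" "$d/www/css"
    echo '<?php' > "$d/www/index.php"
    echo 'body{}' > "$d/www/css/site.css"
    echo '// js' > "$d/www/foo/bar/js/script.js"
    echo "$d/www"
}
```

Compare objects_to_depth /home/foouser1/www 1 with the object count in the Tripwire report, and objects_all with the find totals in the question; a match on the former points at the recurse depth rather than at the file set.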